I am from a Visual Basic background and have newly entered the ASP.NET MVC world. So, kindly bear with me if the question sounds small. I need to implement a custom authorize attribute and have seen various samples overriding 'OnAuthorization' or 'AuthorizeCore'. I have also read that we should not override 'OnAuthorization' because it stores the result in cache. But I really didn't understand the actual difference between them.

Can you please provide me with a link that shows when to override either of them, or whether we can use both simultaneously?

Thanks, Arun

Erik Funkenbusch
Arun
  • I don't understand why being "from visual basic" has anything to do with it. You can write an MVC app in Visual Basic. Regardless, why do you think you need a custom authorization attribute? 9 times out of 10 people wrongly assume they need a custom one when they don't. What do you need to do that you think can't be done with normal authorization? – Erik Funkenbusch May 03 '15 at 05:57
  • I am talking about VB 6 here, and now I need to deal with web development using the MVC framework. The current authorize attribute has roles and users, but I need to differentiate permissions based on privileges. Hope I'm clear enough. – Arun May 04 '15 at 04:52
  • Roles are no different from privileges. It's just a name assigned to an access right. Sounds more like you want Claim based authentication, which is available in ASP.NET Identity (and still uses standard Authorize Attribute). Replacing the authorize attribute is usually the wrong way to go about custom authentication and authorization. – Erik Funkenbusch May 04 '15 at 06:29
  • Erik - The current application doesn't have fixed roles, i.e. users of my app would be able to create whatever roles they want, and assign users and permissions to that role. In that way I can't use [Authorize(Roles="admin", Users="Some name")] because I don't know the role names and obviously user names either. – Arun May 05 '15 at 07:54
  • In that case, yes... It's one of the few cases where creating a new attribute is required. In any event, you want to put your authorization logic in AuthorizeCore. You can tell by the function signatures. OnAuthorize returns void. AuthorizeCore returns bool. Obviously, you want to return a Boolean to indicate valid authorization or not. You would only override OnAuthorize (or OnCacheAuthorize) if you needed to change the way the internal attribute worked, which you probably don't. – Erik Funkenbusch May 05 '15 at 09:20
  • Can you provide me some links or documentation that explains my concern in depth? – Arun May 06 '15 at 00:26
  • Possible duplicate of [Extend AuthorizeAttribute Override AuthorizeCore or OnAuthorization](http://stackoverflow.com/questions/6860686/extend-authorizeattribute-override-authorizecore-or-onauthorization) – Vishal_Kotecha Oct 06 '16 at 09:26
  • See this SO question & the accepted answer: http://stackoverflow.com/questions/6860686/extend-authorizeattribute-override-authorizecore-or-onauthorization – jazzcat Oct 30 '16 at 11:34
  • This should help: https://stackoverflow.com/questions/6860686/extend-authorizeattribute-override-authorizecore-or-onauthorization – Maelstrom Oct 27 '17 at 14:24
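
The case discussed in the comments above (privileges attached to roles that users create at runtime, checked in `AuthorizeCore`), as an added example that is not code from the thread or from ASP.NET MVC itself. `RequirePermissionAttribute`, `IPermissionStore` and the permission name in the usage comment are hypothetical; it assumes System.Web.Mvc with a dependency resolver that can supply the store.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical lookup: does this user hold the privilege through any of the
// runtime-defined roles assigned to them?
public interface IPermissionStore
{
    bool UserHasPermission(string userName, string permission);
}

// Usage (constructed permission name): [RequirePermission("invoices.edit")]
public class RequirePermissionAttribute : AuthorizeAttribute
{
    private readonly string _permission;

    public RequirePermissionAttribute(string permission)
    {
        if (string.IsNullOrWhiteSpace(permission))
            throw new ArgumentException("A permission name is required.", "permission");
        _permission = permission;
    }

    // The yes/no decision. The base OnAuthorization calls this, and when output
    // caching is on, OnCacheAuthorization calls it again for cached responses,
    // so a check placed here is not skipped on a cache hit.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check first: rejects unauthenticated requests.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Resolve per request. Attribute instances can be reused across
        // requests, so keep no per-request state in fields.
        var store = DependencyResolver.Current.GetService<IPermissionStore>();
        if (store == null)
            return false; // fail closed if the store is not registered

        return store.UserHasPermission(httpContext.User.Identity.Name, _permission);
    }

    // Authenticated but lacking the privilege: answer 403 instead of the
    // default 401, which would send a logged-in user back to the login page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```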

0 Answers